[aprssig] Igating a Non-Amateur

Steve Dimse steve at dimse.com
Sat Oct 1 16:59:02 EDT 2005


On Oct 1, 2005, at 4:00 PM, James wrote:

> Unfortunately, Steve, this is one of the flaws in WinAPRS; unlike UI-View
> there is NO validation code needed to send to a server to be
> gated to RF.

You have this backward. The programmer's registration is more easily
concealed, being in the possession of only one person, than the
validation algorithm, which is public knowledge. WinAPRS unfortunately
has suffered from a crack having been performed that has resulted in
a single validated registration becoming public knowledge. Crack
sites have thousands of passwords for different versions of different
programs; this is hardly a unique situation.

However, anyone can install UI-View, use any of the many available  
APRS IS validation generating programs or web sites, and come online  
with any callsign. On the other hand, to masquerade as a different  
call with WinAPRS, a crack needed to be performed on the user password.
>
> The registration is all you need, the generator creates the code
> and the default name is NITRUS, once you run the program then you
> can change the name to your call and it will stay. In fact there are
> a few crackz websites that list a code with the NITRUS for the
> default name.

The registration number is keyed to the callsign. You must enter both  
and they must match. Your registration number is different than mine.  
If I stole your WinAPRS reg number, I could go online as you. I could  
not use your number to make the program act validated under my call,  
unless...

I just tried in MacAPRS to change my callsign and then connect to
APRS IS. This results in an unvalidated connection, as it should.
Perhaps WinAPRS works differently in this regard (I know the
registration numbers are not interchangeable)... I can see how code
could be written in such a way that registration was only checked at
startup (or even just when entering the number), and that a callsign
change after that point would result in the validation number being
generated on the new callsign rather than on the registered callsign.
In this case, WinAPRS becomes exactly as insecure in this regard as
UI-View. Can anyone prove it by coming online as, say, K4HG-14 with
WinAPRS? This is the worst case: one could indeed then use WinAPRS to
have a validated connection as any callsign... exactly as one has
been able to do with UI-View since the algorithm became public.
>
> WinAPRS also uses the registration code to SAVE the settings that  
> you input into the program, you can still use it without reg codes  
> but every time you close the program all your stats are erased.

Yes, but in this mode, if you connect to the APRS IS it is as an  
unvalidated user.
>
> Issuing new passwords will not solve this problem, as soon as a  
> program is released there is a work around within a few hours if  
> not minutes.
> This includes UI-View and WinAPRS and whatever else you can think of.

I'm surprised there was even one crack of WinAPRS; they used a 9- or
10-digit number, so maybe there was a lucky guess, or a generated
password got lost or stolen (though I can't see why there would have
been a password generated for this call), or their algorithm was
poorly chosen, making a mathematical attack possible. Brute force
seems unlikely with the number of digits used. A new algorithm will
fix things if there was a flaw in the algorithm, making future
versions secure from the attack that generated this call/pass pair.

You are right that there is nothing that can be done to put the cat
back into the bag... the cracked password will always work with
earlier versions of the program, and nothing can be erased from the
net. A new password algorithm is just about protecting future
versions.
>
> The validation code is the best way to prevent non-hams from being
> gated; it is also not perfect, but it is a larger wall of defense.

NO NO NO NO!

The validation number is absolutely zero protection; it is a publicly
available algorithm. It was never meant to be secure (no 15-bit hash
can be considered secure in any way), just to pass muster with the
FCC. Initially four people knew it (Brent, the Sprouls, and I), Dale
made five when aprsd was released, later Roger made six. My public
release of the algorithm was specifically designed to prevent the
illusion that there was any defense in the validation number. For the
reasons I explained, the insecurity prior to the release of the
algorithm was because the network was a sprawling mess, with far too
many hubs to assure that there was not a rogue hub... if the back
door and all the windows are wide open, it does not matter that the
front door is locked!

So please lose this misplaced trust in the validation number; it is
meaningless!

Steve K4HG
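The startup-only registration check Steve hypothesises above, modelled as an added example that is not part of the original post. The registration check, the vendor secret, the callsign N0CALL and the 15-bit validation number are all constructed stand-ins (none is the real WinAPRS or APRS-IS algorithm); the point is the design flaw, deciding "validated" once and then building the passcode from whatever callsign is current, beside the fix of re-checking against the registered callsign at every connect.

```python
# Added example: startup-only validation (flawed) vs. re-check at connect (fixed).
# Everything cryptographic here is a constructed stand-in for illustration only.
import hashlib
import hmac

# Hypothetical "programmer's registration" key held only by the vendor.
VENDOR_SECRET = b"constructed-vendor-secret"


def issue_registration(callsign: str) -> str:
    """Vendor side: a registration number keyed to exactly one callsign (constructed)."""
    mac = hmac.new(VENDOR_SECRET, callsign.upper().encode(), hashlib.sha256)
    return mac.hexdigest()[:10]  # 10-digit-style registration string


def registration_valid(callsign: str, reg_number: str) -> bool:
    """Client side: does this registration number belong to this callsign?"""
    return hmac.compare_digest(issue_registration(callsign), reg_number)


def base_call(callsign: str) -> str:
    """Strip the SSID (K4HG-14 -> K4HG); the validation number is per base call."""
    return callsign.upper().split("-")[0]


def passcode(callsign: str) -> int:
    """Stand-in for the public 15-bit validation number (constructed, not the real one)."""
    digest = hashlib.sha256(base_call(callsign).encode()).digest()
    return int.from_bytes(digest[:2], "big") & 0x7FFF


def insecure_login(registered_call: str, reg_number: str, current_call: str) -> str:
    """Flawed flow: 'validated' is decided once at startup, then the passcode is
    generated from whatever callsign the user has since typed in."""
    validated_at_startup = registration_valid(registered_call, reg_number)
    if validated_at_startup:
        return f"user {current_call} pass {passcode(current_call)}"
    return f"user {current_call} pass -1"  # -1 = unvalidated login


def secure_login(registered_call: str, reg_number: str, current_call: str) -> str:
    """Fixed flow: re-check at connect time and only ever validate the registered call."""
    if base_call(current_call) == registered_call.upper() and registration_valid(
        registered_call, reg_number
    ):
        return f"user {current_call} pass {passcode(current_call)}"
    return f"user {current_call} pass -1"


if __name__ == "__main__":
    reg = issue_registration("N0CALL")  # constructed placeholder callsign
    print(insecure_login("N0CALL", reg, "K4HG-14"))  # validated as someone else's call
    print(secure_login("N0CALL", reg, "K4HG-14"))    # user K4HG-14 pass -1
```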